config vpn certificate setting
VPN certificate setting.
config vpn certificate setting
Description: VPN certificate setting.
set ocsp-status [enable|disable]
set ocsp-option [certificate|server]
set ssl-ocsp-source-ip {ipv4-address}
set ocsp-default-server {string}
set interface-select-method [auto|sdwan|...]
set interface {string}
set check-ca-cert [enable|disable]
set check-ca-chain [enable|disable]
set subject-match [substring|value]
set subject-set [subset|superset]
set cn-match [substring|value]
set cn-allow-multi [disable|enable]
config crl-verification
Description: CRL verification options.
set expiry [ignore|revoke]
set leaf-crl-absence [ignore|revoke]
set chain-crl-absence [ignore|revoke]
end
set strict-ocsp-check [enable|disable]
set ssl-min-proto-version [default|SSLv3|...]
set cmp-save-extra-certs [enable|disable]
set cmp-key-usage-checking [enable|disable]
set certname-rsa1024 {string}
set certname-rsa2048 {string}
set certname-rsa4096 {string}
set certname-dsa1024 {string}
set certname-dsa2048 {string}
set certname-ecdsa256 {string}
set certname-ecdsa384 {string}
set certname-ecdsa521 {string}
set certname-ed25519 {string}
set certname-ed448 {string}
end
config vpn certificate setting
Parameter |
Description |
Type |
Size |
Default |
||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
ocsp-status |
Enable/disable receiving certificates using the OCSP. |
option |
- |
disable |
||||||||||||
|
|
|||||||||||||||
ocsp-option |
Specify whether the OCSP URL is from certificate or configured OCSP server. |
option |
- |
server |
||||||||||||
|
|
|||||||||||||||
ssl-ocsp-source-ip |
Source IP address to use to communicate with the OCSP server. |
ipv4-address |
Not Specified |
0.0.0.0 |
||||||||||||
ocsp-default-server |
Default OCSP server. |
string |
Maximum length: 35 |
|
||||||||||||
interface-select-method |
Specify how to select outgoing interface to reach server. |
option |
- |
auto |
||||||||||||
|
|
|||||||||||||||
interface |
Specify outgoing interface to reach server. |
string |
Maximum length: 15 |
|
||||||||||||
check-ca-cert |
Enable/disable verification of the user certificate and pass authentication if any CA in the chain is trusted . |
option |
- |
enable |
||||||||||||
|
|
|||||||||||||||
check-ca-chain |
Enable/disable verification of the entire certificate chain and pass authentication only if the chain is complete and all of the CAs in the chain are trusted . |
option |
- |
disable |
||||||||||||
|
|
|||||||||||||||
subject-match |
When searching for a matching certificate, control how to do RDN value matching with certificate subject name . |
option |
- |
substring |
||||||||||||
|
|
|||||||||||||||
subject-set |
When searching for a matching certificate, control how to do RDN set matching with certificate subject name . |
option |
- |
subset |
||||||||||||
|
|
|||||||||||||||
cn-match |
When searching for a matching certificate, control how to do CN value matching with certificate subject name . |
option |
- |
substring |
||||||||||||
|
|
|||||||||||||||
cn-allow-multi |
When searching for a matching certificate, allow multiple CN fields in certificate subject name . |
option |
- |
enable |
||||||||||||
|
|
|||||||||||||||
strict-ocsp-check |
Enable/disable strict mode OCSP checking. |
option |
- |
disable |
||||||||||||
|
|
|||||||||||||||
ssl-min-proto-version |
Minimum supported protocol version for SSL/TLS connections . |
option |
- |
default |
||||||||||||
|
|
|||||||||||||||
cmp-save-extra-certs |
Enable/disable saving extra certificates in CMP mode . |
option |
- |
disable |
||||||||||||
|
|
|||||||||||||||
cmp-key-usage-checking |
Enable/disable server certificate key usage checking in CMP mode . |
option |
- |
enable |
||||||||||||
|
|
|||||||||||||||
certname-rsa1024 |
1024 bit RSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_RSA1024 |
||||||||||||
certname-rsa2048 |
2048 bit RSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_RSA2048 |
||||||||||||
certname-rsa4096 |
4096 bit RSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_RSA4096 |
||||||||||||
certname-dsa1024 |
1024 bit DSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_DSA1024 |
||||||||||||
certname-dsa2048 |
2048 bit DSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_DSA2048 |
||||||||||||
certname-ecdsa256 |
256 bit ECDSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_ECDSA256 |
||||||||||||
certname-ecdsa384 |
384 bit ECDSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_ECDSA384 |
||||||||||||
certname-ecdsa521 |
521 bit ECDSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_ECDSA521 |
||||||||||||
certname-ed25519 |
253 bit EdDSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_ED25519 |
||||||||||||
certname-ed448 |
456 bit EdDSA key certificate for re-signing server certificates for SSL inspection. |
string |
Maximum length: 35 |
Fortinet_SSL_ED448 |
config crl-verification
Parameter |
Description |
Type |
Size |
Default |
||||||
---|---|---|---|---|---|---|---|---|---|---|
expiry |
CRL verification option when CRL is expired . |
option |
- |
ignore |
||||||
|
|
|||||||||
leaf-crl-absence |
CRL verification option when leaf CRL is absent . |
option |
- |
ignore |
||||||
|
|
|||||||||
chain-crl-absence |
CRL verification option when CRL of any certificate in chain is absent . |
option |
- |
ignore |
||||||
|
|